CVE-2023-20196 — Unrestricted File Upload in Cisco Identity Services Engine Software
Severity
NVD: 7.2 HIGH
CNA: 4.7
EPSS
0.4%
top 37.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 1
Description
Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. These vulnerabilities are due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit these vulnerabilities by uploading a crafted file to an affected device. A successful exploit could allow the attac…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
CVEList
CVE-2023-20196: Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device (2023-11-01)
GHSA
GHSA-c3jv-24xc-jqh6: Two vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to upload arbitrary files to an affected device (2023-11-01)